external-secrets / kubernetes-external-secrets

Integrate external secret management systems with Kubernetes
MIT License

Pod is using stale tokens #926

Closed albertschwarzkopf closed 2 years ago

albertschwarzkopf commented 2 years ago

Hi,

the "Bound Service Account Token Volume" has graduated to stable and is enabled by default in Kubernetes version 1.22. I am using "kubernetes-external-secrets:8.5.5" in AWS EKS 1.22 and I have checked whether it is using stale tokens (regarding https://docs.aws.amazon.com/eks/latest/userguide/kubernetes-versions.html and https://docs.aws.amazon.com/eks/latest/userguide/troubleshooting.html#troubleshooting-boundservicetoken).

So when the API server receives requests with tokens that are older than one hour, then it annotates the pod with "annotations.authentication.k8s.io/stale-token". In my case I can see the following annotation. E.g.:

"annotations":{"authentication.k8s.io/stale-token":"subject: system:serviceaccount:kube-external-secrets:external-secrets-oidc, seconds after warning threshold: 424"

Version:

kubernetes-external-secrets:8.5.5

Cluster Details:

AWS EKS 1.22

Steps to reproduce issue

fields @timestamp
| filter @message like /seconds after warning threshold/
| parse @message "subject: *, seconds after warning threshold:*\"" as subject, elapsedtime

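The stale-token annotation quoted in this issue is recorded by the API server in its audit events, which is what the Logs Insights query above searches. The following is an added example, not code from the kubernetes-external-secrets project or from anyone in this thread, that does the same check offline against exported audit logs: it reads audit events as JSON lines, extracts the `authentication.k8s.io/stale-token` annotation, and reports for each service account subject the largest "seconds after warning threshold" value seen. The audit lines and `auditID` values are constructed for illustration; only the annotation key and its value format follow the output quoted above.

```python
"""Find service accounts that authenticate with stale bound tokens.

Added example (not from the kubernetes-external-secrets project). Parses
Kubernetes API server audit events (one JSON object per line) and extracts
the authentication.k8s.io/stale-token annotation the API server sets when a
token older than the warning threshold is presented.
"""
import json
import re
from collections import defaultdict

STALE_KEY = "authentication.k8s.io/stale-token"

# Matches "subject: <subject>, seconds after warning threshold: <n>"
# (the value format shown in the issue above).
STALE_RE = re.compile(
    r"subject:\s*(?P<subject>\S+),\s*seconds after warning threshold:\s*(?P<seconds>\d+)"
)

SUBJECT = "system:serviceaccount:kube-external-secrets:external-secrets-oidc"

# Constructed sample audit events; auditIDs and the second/third events are
# invented, the annotation value format follows the issue.
SAMPLE_AUDIT_LOG = "\n".join([
    json.dumps({
        "kind": "Event", "auditID": "constructed-1",
        "user": {"username": SUBJECT},
        "annotations": {
            STALE_KEY: f"subject: {SUBJECT}, seconds after warning threshold: 424",
        },
    }),
    json.dumps({
        "kind": "Event", "auditID": "constructed-2",
        "user": {"username": "system:serviceaccount:default:fresh-app"},
        "annotations": {"authorization.k8s.io/decision": "allow"},
    }),
    json.dumps({
        "kind": "Event", "auditID": "constructed-3",
        "user": {"username": SUBJECT},
        "annotations": {
            STALE_KEY: f"subject: {SUBJECT}, seconds after warning threshold: 3600",
        },
    }),
    "not json at all",  # malformed line: must be skipped, not crash the scan
])


def parse_stale_annotation(value):
    """Return (subject, seconds) from a stale-token annotation value, or None."""
    m = STALE_RE.search(value)
    if not m:
        return None
    return m.group("subject"), int(m.group("seconds"))


def find_stale_token_users(audit_lines):
    """Map each subject seen with a stale token to its largest overshoot (seconds)."""
    worst = defaultdict(int)
    for line in audit_lines.splitlines():
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip non-JSON noise in the export
        value = (event.get("annotations") or {}).get(STALE_KEY)
        if not value:
            continue
        parsed = parse_stale_annotation(value)
        if parsed is None:
            continue
        subject, seconds = parsed
        worst[subject] = max(worst[subject], seconds)
    return dict(worst)


def service_account_from_subject(subject):
    """Split 'system:serviceaccount:<namespace>:<name>' into (namespace, name)."""
    parts = subject.split(":")
    if len(parts) == 4 and parts[:2] == ["system", "serviceaccount"]:
        return parts[2], parts[3]
    return None


if __name__ == "__main__":
    for subject, seconds in sorted(find_stale_token_users(SAMPLE_AUDIT_LOG).items()):
        ns_name = service_account_from_subject(subject)
        print(f"{subject}: {seconds}s past warning threshold (namespace, name = {ns_name})")
```

Pointing `find_stale_token_users` at a real audit export gives the same per-subject view as the Logs Insights query, which makes it straightforward to confirm whether the overshoot keeps growing for a given workload (a process that never re-reads the projected token) or stays bounded.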
Flydiverny commented 2 years ago

See